Lately, we've been tracking SEO attacks directing users to rogue AV sites. We've seen the people behind these attacks poisoning searches for many major world events, and some not-so-major ones as well. So it's kind of amusing — and annoying — to see F-Secure being used as the bait in this kind of thing.

We saw this search result pop up when searching for information about F-Secure:

Clicking on the link takes the user on a redirect path as follows:

After this, the attack follows the usual pattern of warning messages, misleading scan reports and so on:

Just in case it is not obvious, this looks nothing like our products.

Finally, the user is asked to install the following:

Which we detect as Rogue:W32/InternetAntivirus.BG. The detection covers the downloader, the downloaded installer and the main executable.